Leo Famulari <l...@famulari.name> wrote:

> On Sat, Jul 16, 2016 at 09:04:47PM +0200, nee wrote:
>> ./certtool: line 83: datefudge: command not found
>>
>> You need datefudge to run this test
>>
>> FAIL: name-constraints
>> ======================
>>
>> Loaded 3 certificates, 1 CAs and 0 CRLs
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
>> Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate
>> issuer is unknown.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Root CA,OU=Public Key
>> Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Output: Verified. The certificate is trusted.
>>
>> Subject: C=US,O=Foo Bar Inc.,CN=bazz.foobar.com
>> Issuer: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Checked against: C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key
>> Infrastructure
>> Output: Not verified. The certificate is NOT trusted. The certificate
>> chain uses expired certificate.
>>
>> Chain verification output: Not verified. The certificate is NOT trusted. The
>> certificate chain uses expired certificate.
>>
>> name constraints test 1 failed
>
> The test certificates have expired.
>
> I think we need to apply this patch with a graft, from the gnutls_3_4_x
> branch:
> https://gitlab.com/gnutls/gnutls/commit/47f25d9e08d4e102572804a2aed186b01db23c65
>
> The effect is to skip the test, because we are missing the datefudge
> program [0].
>
> Or, we could package datefudge and add it to the gnutls recipe.

Interesting failure mode.

When Hydra is operational again, we can simply update GnuTLS, I think.
In the meantime grafting is a good idea. Would you like to try that?

Thanks for the analysis!

Ludo’.